Claude.ai Walkthrough
You cannot use a tool effectively if you do not know what the buttons do. This module is the interface walkthrough — every feature in claude.ai explained with its operational purpose, not just its label. By the end, you will have completed a real task and understand which features matter for your work.
The conversation interface
When you open claude.ai, you see a text input box and a conversation pane. This is where most people stop exploring. The interface has significantly more capability than a chat box.
The input area accepts text, files (drag-and-drop or click to upload), and images. You can paste structured data (CSV, JSON, XML) directly into the text box or upload it as a file. For security work, uploading files is usually better — it preserves formatting, especially for log data and structured exports.
Supported file types: PDF, DOCX, TXT, CSV, JSON, XML, HTML, images (PNG, JPG, WEBP), and code files in most languages. The practical limit is context window size, not file type. A 50-page PDF works fine. A 500-page PDF may exceed the context window — Claude will process what fits and lose the rest.
The conversation pane shows your messages and Claude’s responses in sequence. Each response can be: copied (click the copy icon), retried (click the retry icon — Claude generates a fresh response), and rated (thumbs up/down — this feeds back to Anthropic’s training).
Plans — what you get at each tier
| Feature | Free | Pro ($20/mo) | Max ($100/mo) | Team ($30/user/mo) | Enterprise |
|---|---|---|---|---|---|
| Sonnet access | ✅ Limited | ✅ Higher limits | ✅ Highest limits | ✅ High | ✅ Custom |
| Opus access | ❌ | ✅ | ✅ | ✅ | ✅ |
| Haiku access | ✅ | ✅ | ✅ | ✅ | ✅ |
| Projects | ❌ | ✅ | ✅ | ✅ | ✅ |
| Web search | ✅ Limited | ✅ | ✅ | ✅ | ✅ |
| File uploads | ✅ | ✅ | ✅ | ✅ | ✅ |
| Extended Thinking | ❌ | ✅ | ✅ | ✅ | ✅ |
| Memory | ❌ | ✅ | ✅ | ✅ | ✅ |
| Artifacts | ✅ | ✅ | ✅ | ✅ | ✅ |
For security professionals: Pro is the minimum useful tier. Projects (persistent context for ongoing work) and Extended Thinking (deeper reasoning for complex analysis) are the two features that turn Claude from a chatbot into a work tool, and neither is available on Free.
For team deployments: the Team plan adds admin controls, shared Projects, and no training on your data by default. If you are using Claude for security operations across a team, the Team plan provides the data handling guarantees you need for compliance.
Projects — persistent context across conversations
Projects are the single most important feature for professional use. A Project is a container that holds: a custom system prompt (instructions that apply to every conversation in the project), uploaded documents (reference material available across conversations), and conversation history.
Why Projects matter for security work:
Create a project called “Security Operations” with: your organisation’s KQL naming conventions as a system prompt instruction, your detection rule template as a reference document, and your IR report format uploaded as a document. Every conversation in the project inherits this context — Claude knows your conventions, your templates, and your style without you re-explaining each time.
Practical project examples:
| Project Name | System Prompt Contains | Documents Uploaded |
|---|---|---|
| Security Operations | KQL style guide, alert naming convention, Sentinel workspace details | Detection rule template, IR report template |
| Compliance Work | NIST CSF 2.0 control IDs, organisation’s control mapping format | Current control matrix, gap analysis template |
| Incident IR-2026-04 | Incident context, timeline constraints, sanitisation requirements | Exported logs (sanitised), previous report drafts |
| Policy Drafting | Organisation tone, formatting standards, regulatory context | Existing policy library, framework requirements |
Creating a project: Click the Projects icon in the left sidebar → “New Project” → name it → add system prompt (Project Instructions) → upload reference documents (Project Knowledge) → start a conversation.
Artifacts — structured output you can use
When Claude generates code, documents, or structured content, it can present the output as an Artifact — a standalone, rendered panel that appears alongside the conversation. Artifacts are: editable (you can modify the content directly), downloadable, and iterable (ask Claude to modify the artifact in subsequent messages).
For security work, Artifacts are how you get usable output:
Ask Claude to write a KQL detection rule → it appears as a code Artifact you can copy directly into Sentinel. Ask Claude to draft an IR report section → it appears as a document Artifact you can download as markdown. Ask Claude to create a decision flowchart → it appears as a rendered SVG you can embed in documentation.
Limitation: Artifacts are ephemeral within a conversation. If you close the conversation, the Artifact is in the conversation history but not saved as a standalone file. Download or copy artifacts when you create them.
Extended Thinking — when Claude needs to reason
Extended Thinking gives Claude a “thinking step” before responding. Instead of immediately generating output, Claude first reasons through the problem internally, then produces a more considered response.
How it works: When you enable Extended Thinking (toggle in the message input area), Claude allocates additional processing to an internal reasoning chain before generating the visible response. You see a “Thinking…” indicator while this happens. The thinking content is not shown by default — you can expand it to see Claude’s reasoning process.
When to enable Extended Thinking:
- Complex KQL queries with multiple joins, nested conditions, or cross-table correlation
- Attack timeline reconstruction from ambiguous or contradictory log data
- Risk assessment with competing priorities and trade-offs
- Investigation conclusions where the evidence supports multiple interpretations
- Any task where Claude’s first-attempt response is shallow or misses nuance
- Detection rule logic that must handle edge cases correctly
When Extended Thinking is unnecessary:
- Formatting or reformatting text
- Simple summarisation
- Straightforward KQL (single table, basic filters)
- Template-based document generation
- Quick factual questions
Extended Thinking in practice — security example:
Without Extended Thinking: “Write a KQL query to detect token replay” → Claude produces a basic SigninLogs query with IP comparison. Functional but shallow.
With Extended Thinking: same prompt → Claude reasons through: “Token replay can appear in both interactive and non-interactive logs. I need to check both tables. The user’s legitimate IP might change (VPN, mobile). I should exclude the corporate IP watchlist. The authentication requirement field distinguishes replayed tokens from fresh authentication…” → produces a query that checks both tables, handles edge cases, and includes tuning notes.
The difference is not always dramatic for simple tasks. For complex analysis, it is the difference between a surface-level response and one that accounts for the nuances an experienced analyst would consider.
For the most complex security analysis — reconstructing a multi-stage attack from fragmentary evidence, writing a comprehensive PIR with root cause analysis, or designing a detection strategy for a novel technique — use Opus with Extended Thinking enabled. The combination provides the deepest reasoning Claude can produce. Reserve it for tasks where depth matters more than speed.
Web search — compensating for the knowledge cutoff
Claude can search the web during a conversation when the feature is enabled. This partially compensates for the knowledge cutoff (May 2025) by retrieving current information.
Good uses for web search in security work:
- “What CVEs were published for Exchange Online in the last 3 months?”
- “Has Microsoft renamed the Defender for Endpoint alert API?”
- “What is the current MITRE ATT&CK technique ID for AiTM phishing?”
Limitations: Web search results are not guaranteed to be accurate. Claude may retrieve outdated pages, interpret results incorrectly, or miss the most relevant source. Treat web-search-augmented responses as leads to verify, not as authoritative answers.
Memory — persistent preferences
Memory allows Claude to remember facts about you across conversations (outside of Projects). You can tell Claude your preferences — “I work in KQL and PowerShell, my Sentinel workspace uses the Monokai theme, I prefer UK English” — and it retains this across future conversations.
For security professionals: Set memory preferences for: your preferred query language (KQL), your Sentinel workspace naming conventions, your organisation’s compliance framework (NIST/ISO/SOC2), your report formatting preferences, and your technical depth level (“I am a senior SOC analyst — skip the basics”).
Completing a real task — your first Claude security workflow
Open claude.ai. Paste the following prompt:
Try it yourself:

```text
I need a KQL query for Microsoft Sentinel that identifies
sign-in attempts from IP addresses that appear in both
successful and failed sign-ins within the last 24 hours.
This pattern may indicate password spraying followed by
successful compromise.
Requirements:
- Use SigninLogs table
- Group by IP address
- Show IPs with both ResultType 0 (success) and non-zero (failure)
- Include count of successes and failures per IP
- Sort by success count descending
- Exclude IPs with fewer than 5 total attempts
```
Claude should produce a working KQL query using SigninLogs, summarising by IPAddress with conditional counts for success (ResultType == 0) and failure (ResultType != 0), filtered by the threshold. The query should be syntactically valid and directly pasteable into Sentinel Advanced Hunting.
Verify before deploying: Check that the column names match your Sentinel schema. Check that the time range (ago(24h)) matches your investigation window. Run the query in your lab tenant first.
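A reference answer for this task, added here as an example rather than output captured from Claude or a query from the page. It assumes the standard Sentinel SigninLogs schema (ResultType is a string column, so success is `ResultType == "0"`), and it goes slightly beyond the stated requirements by adding the enrichment columns an analyst wants when triaging the hits; the watchlist name in the commented tuning line is a placeholder.

```kql
// Added reference answer for the task above (not output captured from Claude).
// Assumes the standard Microsoft Sentinel SigninLogs schema: TimeGenerated,
// IPAddress, ResultType (string, "0" = success), UserPrincipalName.
let lookback = 24h;          // investigation window from the requirements
let min_attempts = 5;        // noise floor from the requirements
SigninLogs
| where TimeGenerated > ago(lookback)
| where isnotempty(IPAddress)
// Optional tuning: drop corporate NAT egress addresses, which also show mixed results.
// 'CorpEgressIPs' is a placeholder watchlist name; use your own.
// | where IPAddress !in ((_GetWatchlist('CorpEgressIPs') | project IPAddress))
// One row per source IP, with successes and failures tallied separately
| summarize
    Successes             = countif(ResultType == "0"),
    Failures              = countif(ResultType != "0"),
    TotalAttempts         = count(),
    DistinctUsersTargeted = dcount(UserPrincipalName),
    // Accounts the IP actually got into (capped at 20 so the row stays readable)
    CompromisedAccounts   = make_set_if(UserPrincipalName, ResultType == "0", 20),
    FirstSeen             = min(TimeGenerated),
    LastSeen              = max(TimeGenerated)
    by IPAddress
// Keep only IPs that show the spray-then-success pattern above the threshold.
// The threshold must be applied after summarize so it counts per IP, not per row.
| where Successes > 0 and Failures > 0
| where TotalAttempts >= min_attempts
| project IPAddress, Successes, Failures, TotalAttempts, DistinctUsersTargeted,
          CompromisedAccounts, FirstSeen, LastSeen
| sort by Successes desc
```

Compare this against what Claude produced: a high DistinctUsersTargeted with only one or two successes is the classic spray signature, while an IP with many successes across many users is more likely shared egress and a candidate for the watchlist exclusion.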
What you just did: Used Claude to generate a production-oriented KQL query for a real security use case. The prompt included context (what the query is for), requirements (specific technical constraints), and output expectations. Module F3 teaches you to structure every prompt this way.
Knowledge checks
Check your understanding
1. You create a Project called "Security Operations" and upload your IR report template. What happens when you start a new conversation in that Project?
2. You ask Claude to write a complex KQL query with 3 table joins and conditional logic. The output is shallow and misses edge cases. What feature should you enable?
3. Your organisation is considering Claude for SOC team use. Which plan provides admin controls and data handling guarantees?
Key takeaways
Projects are non-negotiable for professional use. Set up a project for each major work area. Upload reference documents. Write a system prompt. Every conversation inherits the context.
Artifacts produce usable output. KQL queries, report sections, and flowcharts appear as standalone panels you can copy, edit, and download. Use them — they are the mechanism for getting work product out of Claude.
Extended Thinking improves complex work. Enable it for multi-step reasoning, complex queries, and nuanced analysis. Skip it for formatting and simple tasks.
Choose the right plan for your context. Pro for individual professionals. Team for team deployments. Free for evaluation only.